Pwn2Own Automotive 2026 exposes dozens of zero-day vulnerabilities in connected cars and charging stations, and pays out more than half a million dollars


During the first day of the Pwn2Own Automotive 2026 competition, held in Tokyo within the Automotive World event, security researchers demonstrated in practice why the connected systems of cars and electric charging infrastructure remain a critical target: they exploited dozens of zero-day vulnerabilities and earned over half a million dollars, part of it just for compromising Tesla's infotainment system.

The event, organized by Trend Micro's Zero Day Initiative (ZDI), became an open showcase of exploit chains, where small flaws chained together allow an attacker to take control of devices that, on the surface, only play music or manage a charging point. ZDI itself publishes the schedule and the results of the event; its blog carries both the full programme and the first-day report, which serve as a direct source for what happened (agenda and day 1 results).


Among the standout teams, Synacktiv chained an information leak with an out-of-bounds write to escalate to root privileges on Tesla's infotainment system via a USB attack, and also demonstrated root-level code execution on a Sony multimedia receiver. Other participants such as Fuzzware.io, PetoWorks and the group known as DDOS broke the defenses of car charging stations and browsers, accumulating significant prizes for each successful exploit. In total, dozens of vulnerabilities were reported on the first day, with rewards in the hundreds of thousands of dollars, which reflects the high value that industry and organizers place on this kind of finding.

Why does it matter so much that someone can hack an infotainment system or a charging station? Because in modern cars these components are no longer isolated: through internal networks, OTA updates or physical ports they can serve as vectors to reach critical elements such as the CAN controller, driver assistance systems or telemetry. In the case of charging infrastructure, a vulnerability can allow anything from manipulating billing to interrupting charging availability or, in extreme scenarios, affecting the physical safety of the vehicle or the local electricity supply.

Pwn2Own is a deliberately controlled risk exercise: researchers demonstrate working exploits against fully patched devices and, in exchange for a payment, report the vulnerabilities to manufacturers so that patches can be prepared. ZDI applies a responsible disclosure window (vendors have a period of time to fix the flaw before the details are made public), and this policy seeks to balance the industry's need to fix failures with transparency about their existence. ZDI and Trend Micro explain on their channels how these processes work and why they matter for the overall security of the connected ecosystem (Zero Day Initiative).

The competition leaves two big lessons: first, that the systems that manage entertainment, navigation and charging are complex enough to contain multiple exploitable flaws; second, that the incentive-based security economy, direct payments for vulnerabilities, remains an effective way for companies to learn about and fix their problems before a malicious attacker abuses them.

Alongside the on-stage demonstrations, the event schedule announced that on the second day attempts against specific chargers would intensify, with several teams competing to compromise models such as the Grizzl-E Smart 40A, the Autel MaxiCharger and the ChargePoint Home Flex. Each successful root on these devices earned substantial awards, a mechanism that attracts researchers specialized in hardware and firmware.

To better understand the importance of this kind of exercise, it is worth recalling that cybersecurity regulations and guidelines have advanced in recent years. Agencies such as the United States National Highway Traffic Safety Administration (NHTSA) and international bodies have placed emphasis on practices and standards that seek to reduce the attack surface of connected vehicles and their related infrastructure (NHTSA - Cybersecurity). Collaboration between independent researchers, manufacturers and regulators is key for improvements to reach the vehicles already on the road.


In the end, public demonstrations like Pwn2Own act as a thermometer: they reveal real vulnerabilities, inject urgency into applying patches and help define best practices for network design and segmentation inside the vehicle. While seeing a Tesla or a charging station compromised may sound alarming, the purpose of these events is precisely for these flaws to be corrected before someone with criminal intent can exploit them.

If you want to follow the announcements and live updates, the organization's official channels offer a detailed report of each challenge, as well as links to the manufacturers' responses and the fixes published after the 90-day disclosure window. For more context on the conference hosting the competition, the Automotive World website contains information about the event and the sessions in which Pwn2Own takes place (Automotive World).

In short, as mobility becomes digitized and electrified, security moves from being a complementary requirement to a structural need. Events like Pwn2Own Automotive not only reward those who find flaws, but also help build an ecosystem in which cars and charging networks are more trustworthy for everyone.
